Can internal PinePhone firmware be compromised?

[fsflover]

Perhaps a stupid question. Is there any firmware in PinePhone which could be compromised by the OS? For example, I heard that a compromised OS on a laptop can compromise BIOS, which makes the computer insecure without recurse (and you won't know it unless you have Anti Evil Maid).

Let's say I install some untrusted OS on the eMMC, use it, then wipe it. After that I boot from a trusted microSD, can I be sure that I am not compromised?

I am also thinking about such a use case: I have untrusted OS on the eMMC, where I collect all the viruses I want. When I need to do something security-critical (e.g., open my email), I insert a microSD with a bootable trusted OS, use it and then remove the microSD again returning to the initial untrusted OS. Would such access to the email be secure?

[ryo]

All software available to the public can be compromised, and unless it's something almost nobody uses, all software will be compromised at some point in time.
Privacy, security, and freedom is never ethernal, and it's never a gift.
Both the consumer and developer have to fight for it forever.

[LinAdmin2]

The firmware in the Quectel modem can be changed and therefore it can also be corrupted.

I have not heard of any way how the bootloader could be compromised?
If that is not the case, eMMC always can be cleaned.

[evilbunny]

Let's say I install some untrusted OS on the eMMC, use it, then wipe it. After that I boot from a trusted microSD, can I be sure that I am not compromised?

Unlike regular computers, ARM systems have all the bios-y info stored on the emmc/sdcard, as @LinAdmin2 pointed out the modem has it's own firmware,  but that can be reflashed as well.

[dallytaur]

Would there be a way to lock down modem firmware with a dip switch seems like a major target

[LinAdmin2]

Let's say I install some untrusted OS on the eMMC, use it, then wipe it. After that I boot from a trusted microSD, can I be sure that I am not compromised?

Unlike regular computers, ARM systems have all the bios-y info stored on the emmc/sdcard,

Wrong;
The ARM system must have some initial loader to start reading from eMMc or sd.card.

[evilbunny]

Let's say I install some untrusted OS on the eMMC, use it, then wipe it. After that I boot from a trusted microSD, can I be sure that I am not compromised?

Unlike regular computers, ARM systems have all the bios-y info stored on the emmc/sdcard,

Wrong;
The ARM system must have some initial loader to start reading from eMMc or sd.card.

I'm led to believe boot is hard coded into the chip. The rest is on emmc/sdcard.

[wibble]

https://linux-sunxi.org/Pine64#Boot_sequence
https://linux-sunxi.org/BROM#A64